DMZ Server Selector

n5mdt
The node Help file states "If you want to forward every port that is not already in use to a single computer on the LAN, choose that computer's IP Address from the DMZ Server selector."

Where is the DMZ Server selector? I can't seem to find it.


Thanks
Mark
 
AE6XE
This help section is talking about LAN in "NAT" mode. Once you change to this mode and reboot, then port forwarding has this "DMZ Server" option.

Joe AE6XE
n5mdt
So, there is no way to put a direct host into the DMZ?

Could you port forward all ports not otherwise in use to a host and hope for the best? Will the portlow-porthigh format work in port forwarding while in direct host mode?

Edit: I see the portlow-porthigh format is accepted in the Outside port, but not for the LAN port.


Thanks

AE6XE
To clarify just in case, I believe the context of the "DMZ" for this "LAN" setting is between the greater mesh network and LAN devices (now in "NAT" mode). It's probably not also a DMZ machine to port forward everything from the internet into this designated machine (WAN, WIFI, or BOTH?). I need to dig into the code and see what it is doing. I've not actually ever used this. It's been in there since BBHN days and it's possible no one has been using this; I trust it still works :) .

The non-DMZ hosts on the LAN are now protected and cannot be reached by other devices on the mesh network. (We could put this detail in the Help...)

Anyone out there actually using this feature?

Joe AE6XE
AE6XE
I dug through the code for this DMZ Server setting. Everything looks good in terms of, "it works". Just make sure to reboot the node after changing this setting. The DMZ designated host (on the LAN in 'NAT' mode) is then reachable from the rest of the mesh network. This setting does not allow any additional traffic from the WAN side. There is no such setting to designate a DMZ host for the WAN.

Joe AE6XE
n5mdt
Thanks Joe, and that's what I was hoping for. A host on the mesh side in the DMZ for the WAN.

What I really need to do is be able to port forward Protocol #4 through the node to a Mesh Host. (RFC 2003) That would allow AMPR Net endpoints on the MESH host while also running a BPQ Node on a windows machine.

If anyone else has done this I would be interested to know how it was done.


Mark


 
AE6XE
Mark, let's make sure a simpler solution doesn't already exist. I'm not sure if this is the scenario you are thinking of; if not, can you clarify the applications in use on the mesh and ampr that you want to integrate? A mesh device can reach out to an AMPR (internet routable address) to make a client->server type connection without any port forwards, DMZ, or other tunneling complexities. This assumes you have a mesh gateway node and the WAN side can reach or route to the 44.x.x.x address.

For example, there could be a winlink post office box at an AMPR address. This post office box might be (or might not be) on an isolated network and not attached to the internet, rather is a network only on the WAN side of the mesh node-gateway. Install winlink express client on a computer on the mesh network. This winlink express application can do a telnet connection to the 44.x.x.x winlink post office box to send/receive messages.

Joe AE6XE
n5mdt
Thanks to Joe for helping me work this out. I now have it working well.

What is working is a mesh node in Direct Host mode with a Windows host running BPQ (not hard, because the right configuration does this easily), and the BPQ process is providing an IPENCAP address for the AMPR network using 44.x.x.x addressing. This is not so easy, due to it requiring the passage of IPENCAP protocol packets, which is commonly blocked by low end routers, including Ubiquiti hardware.

The fix was a simple custom IPTABLES rule that allows the packets. The downside is that the node is placed in the DMZ of a router, or connected directly to the internet making it vulnerable to port scanners, etc. And there are certain ports open to the WAN by default which most would likely not want open (i.e. 2222, 8080, etc.)

Rather than publish the fix for this, which requires a little more than many can do without assistance, I'll leave it to Joe to pass along the solution to those that desire it. It could show up in a future release of the firmware though, since the custom rule that it took to accomplish this will be overwritten by firmware updates.

Thanks Joe!


Mark

al0y
I am sorry to bring this topic again after a year ... 

But I have exactly the same situation. I am currently running a FLEXNET node on a linux computer, this computer is in DMZ mode for my home router to have a 44.x.x.x IP address from the AMPRnet. As mentioned by Mark above, the DMZ mode is required to pass IPENCAP packets. 
On the same home router, I have the AREDN node connected as a sibling to the FLEXNET node.

This makes the FLEXNET unreachable on the mesh side, and vice versa. 

I would like to move the flexnet node to become a direct client of the AREDN node to become reachable to mesh, while having it in DMZ mode for the WAN (I will put the AREDN node in DMZ mode in home router then).

I believe Joe had a solution for Mark on this using IP tables, would you, fellas, be kind enough to share with me? 
Also, would these new iptables rules survive a firmware upgrade for the AREDN node?


Thanks in advance. 

AE6XE
This implementation will survive a sysupgrade process to load newer firmware versions, yes. 59-custom-rules is preserved.
 
1) initialize this script below with the correct IP addresses  -- see comments
2) upload the below script to the mesh gateway node into this file (add to or replace existing contents): "/etc/local/mesh-firewall/59-custom-rules"
3) "chmod 755 /etc/local/mesh-firewall/59-custom-rules"
4) reboot node or "/etc/init.d/firewall restart"
5) this node's WAN must be the home router's defined DMZ host (or protocol 4 packets forwarded, if the router has this ability)

------------------------------- 59-custom-rules ---------content------------------
#!/bin/sh
#
# BPQ amprNET port forwards
#
# replace the following with the appropriate IP address
# <ip-address-1>  = IP address of amprNET BPQ virtual adaptor address somewhere on the mesh
# <ip-address-2>  = IP address of this mesh node's WIFI interface
# <ip-address-3>  = IP address of this mesh node's DTDLINK interface
#
# rules to forward layer 3 protocol 4 packets (ipip packets) from WAN to BPQ amprNET virtual adaptor somewhere on mesh network
iptables -t nat -A zone_wan_prerouting -p 4 -j DNAT --to <ip-address-1>  -m comment --comment "amprNET ipip forward to BPQ host"
 
# if the BPQ host is not on the LAN of this node, uncomment the appropriate rule, or both to cover the possibilities
#iptables -t nat -A zone_wifi_postrouting -p 4 -d <ip-address-1> -j SNAT --to-source <ip-address-2> -m comment --comment "amprNET ipip forward to BPQ host"
#iptables -t nat -A zone_dtdlink_postrouting -p 4 -d <ip-address-1> -j SNAT --to-source <ip-address-3> -m comment --comment "amprNET ipip forward to BPQ host"
----------------------------end content--------------------------------------------------------
al0y
Thanks a lot, Joe .... 

This is exactly what I needed. 
AE6XE
Some might not be familiar with the BPQ32.exe software and amprNET networking. To summarize at a high level, the end result is a Mesh Windows computer (could be linux or mac too) that:

1) can communicate to all the services across the AREDN mesh network, and host mesh services for other mesh'ers to access (has a 10.x.x.x address)
2) can do the same across amprNET accessing 44.x.x.x devices and vice versa (computer also has a 44.x.x.x address)
3) Is NOT routing traffic or giving direct access between the mesh and amprNET -- this is not joining the mesh network with amprNET by design.

For future investigation it would be possible to configure BPQ32.exe such that a mesh node's LAN network and respective devices, the subnet, was known across both the mesh and amprNet. There are settings in BPQ32.exe to NAT the 44.x.x.x/28 subnet to the respective 10.x.x.x/28 subnet.

Joe AE6XE


 
KS4YP
What is the main page
Can't find the main page of this network to see who is online.
K6AH
The Mesh Status page (http://localnode.local.mesh:8080/cgi-bin/mesh) lists the nodes and services.  The Help link will also be useful to you (http://localnode.local.mesh:8080/help.html).
n5mdt
Joe,

This no longer works after a firmware update. Looking into the firewall, there is no longer a zone_wan_prerouting.

Should this still be working? After applying the IPTABLES rule by hand, then listing the IPTABLES I cannot find where it applied the rule. Is there an updated IPTABLES rule and should it now go into the firewall-users file/directory?


Thanks
Mark
 
AE6XE
Mark, there are multiple tables to review. You may be looking at the default "filter", but need to show the "nat" table for this information. Try this command:

iptables -L -v -t nat

Reference material that may be helpful:
https://en.wikipedia.org/wiki/Netfilter
http://www.netfilter.org/

Joe AE6XE
n5mdt
Thanks Joe.... it is there with that command. In fact, it is there 3 times.

Now I just have to figure out why it was failing...I'm sure it is in the computer now, and not the Mesh node.


Mark
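A small audit script, added here as an example and not part of the thread, for the check Mark describes above: parse a saved `iptables -t nat -L -v -n` listing, confirm the zone_wan_prerouting chain exists, and count how many copies of the protocol-4 DNAT rule from Joe's 59-custom-rules are present (the script uses -A, so applying it again or adding the rule by hand stacks duplicates). The listing is constructed to mimic iptables output and the 10.x addresses are made up; iptables may print protocol 4 as "ipencap" or as "4", so both are accepted.

```python
"""Audit a saved `iptables -t nat -L -v -n` listing for the protocol-4 (IPIP) DNAT rule.
Added example, not from the thread: the listing is constructed to mimic iptables output, the
chain name and comment text come from the thread's 59-custom-rules, the addresses are made up."""
import re

SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 zone_wan_prerouting  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   700 DNAT       ipencap --  *      *       0.0.0.0/0            0.0.0.0/0            /* amprNET ipip forward to BPQ host */ to:10.55.1.20
    0     0 DNAT       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* amprNET ipip forward to BPQ host */ to:10.55.1.20
    0     0 DNAT       ipencap --  *      *       0.0.0.0/0            0.0.0.0/0            /* amprNET ipip forward to BPQ host */ to:10.55.1.20
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:10.55.1.5:80
"""

IPIP_PROTO_NAMES = {"4", "ipencap"}  # /etc/protocols name when iptables can resolve it, else the number

def parse_nat_listing(text):
    """Return {chain_name: [rule, ...]}, each rule carrying target, protocol and any 'to:' address."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^Chain (\S+) ", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue  # blank line or the column-title line
        fields = line.split(None, 9)  # pkts bytes target prot opt in out source destination extra
        if len(fields) < 9:
            continue  # not a rule line
        extra = fields[9] if len(fields) > 9 else ""
        to = re.search(r"\bto:(\S+)", extra)
        chains[current].append({"target": fields[2], "proto": fields[3],
                                "to": to.group(1) if to else None})
    return chains

def audit_ipip_forward(text, chain="zone_wan_prerouting"):
    """Report whether the IPIP DNAT rule is in place and whether it was appended more than once."""
    chains = parse_nat_listing(text)
    rules = [r for r in chains.get(chain, [])
             if r["target"] == "DNAT" and r["proto"] in IPIP_PROTO_NAMES]
    return {"chain_present": chain in chains, "ipip_dnat_rules": len(rules),
            "duplicates": len(rules) > 1,
            "targets": sorted({r["to"] for r in rules if r["to"]})}

if __name__ == "__main__":
    print(audit_ipip_forward(SAMPLE_NAT_LISTING))
```

Run it against the output of `iptables -L -v -n -t nat` saved from the node; a missing chain points at the firmware change Mark hit, while a count above one means the rule was added more than once.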
 
